Lock in System Security With Bastille

The glamorous new kids in the Linux security parade are SELinux, AppArmor, and all manner of virtualization technologies. (Though it is being discovered that virtual machines, just like chroot jails, aren't all that difficult to break out of, so don't count on them for strong security.)

SELinux and AppArmor may be new and glamorous, but for classic Linux and Unix security, look no further than Bastille.

It is best to run Bastille on a fresh, newly installed system that has not yet been connected to an untrusted network. You can use it on an existing system, but to be 100 percent certain you're not hardening a compromised system you must start fresh.

Bastille Name Change

Bastille has officially renamed itself to Bastille Unix because it also supports Mac OS X and HP-UX. There is also drama with a domain-name squatter that somehow gained control of http://www.bastille-linux.org, so the official site is http://www.bastille-unix.org. Anyone interested can read all about it here. Just remember to visit http://www.bastille-unix.org for the official site, not the other one.

Supported Systems

Bastille does not work for every Linux distribution. So far it supports Red Hat and its clones (e.g., CentOS and Pie Box), Fedora, SUSE, Debian, Gentoo and Mandriva; and HP-UX and Mac OS X. It works on Kubuntu, and it may work on other descendants such as Sabayon (Gentoo), but I haven't tried them yet.

Assessment Mode

Bastille has introduced a new assessment and reporting utility, bastille --assess. This works only on Red Hat and its clones and SUSE. If you run it on an unsupported system, it will helpfully complain and give you a list of platforms that it does support.

Make sure you have the perl-Tk package installed, and perl-Curses for the Ncurses interface. Then fetch the Bastille RPM from its distribution site and install it with:

# rpm -ivh Bastille-3.0.9-1.0.noarch.rpm

Then run it in assessment mode:

# bastille --assess

This does a read-only scan of your system and generates a nice report like this one. It provides a snapshot of your system without making an entire Bastille run first. Making before and after assessment reports can be a valuable exercise and will help you with fine-tuning. You can take this a step further and assign different weights to the various items; the defaults may not reflect your policies or priorities, and you may tweak them to suit.

I'm not going to discuss every option and will instead hit just the high points. Most options depend on how tightly you must lock down your system, and Bastille gives you a lot of information as you go.

Bastille runs either in an Ncurses interface or in X using Perl-Tk. To me, the Perl-Tk interface is clunky and hard to read, so I use Ncurses. This opens the Perl-Tk interface:

# bastille -x

Run it in Ncurses like this:

# bastille -c

bastille -r is a safety catch. It reverses all changes, so don't be afraid to dive in. However, if you do change your mind, you want to do it right away, not months later after you've made who-knows-what changes to your system. bastille --log lets you make a dry-run with no changes.

Give yourself about 30 minutes. Don't hurry: The idea is to learn as well as do.

Configuration Questions Answered

On the first series of questions you'll be asked if you want to disable the SUID root bit, which allows ordinary users to run commands that require root privileges, on certain commands. At first glance you might think "of course I don't want SUID root commands! What an obvious security hole!" But don't be in a hurry to say yes. For example, do you really want to require a root login to use mount or ping? Unprivileged users won't be able to mount removable media like CDs, and ping is hardly a weapon of mass destruction. If you say "Yes" and then change your mind later, use chmod to restore the SUID bit:

# chmod u+s /bin/ping

You should periodically check for SUID-enabled files anyway, just to keep an eye out for mischief or forgotten experiments. A find(1) search for the setuid permission bit will list them.
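The periodic SUID check described above, as an added example that is not part of Bastille or the original article: it inventories setuid and setgid files under a root directory, saves the list as a baseline, and reports anything that has gained the bit since. The baseline path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not Bastille code): inventory setuid/setgid files and
# report any that have appeared since a saved baseline.

# Print every regular file under $1 (default /) with the setuid or setgid
# bit set, one per line, sorted. -xdev keeps find on one filesystem so
# /proc and network mounts are not walked; errors on unreadable
# directories are silenced.
list_setuid_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Save the current inventory of directory $2 to baseline file $1.
save_baseline() {
    list_setuid_files "$2" > "$1"
}

# Print paths that carry the bit now but are absent from baseline $1.
# comm needs both inputs sorted, which list_setuid_files guarantees.
new_since_baseline() {
    list_setuid_files "$2" | comm -13 "$1" -
}

# Typical use (baseline path is an assumption): save once on the freshly
# installed system, then re-run the comparison from cron.
#   save_baseline /var/lib/suid-baseline /
#   new_since_baseline /var/lib/suid-baseline /
```

Run the comparison after every package upgrade as well as on a schedule; a new entry is usually a legitimately updated binary, but it deserves a look before it is added to the baseline.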

Should Bastille disable clear-text r-protocols that use IP-based authentication?
Yes. This includes rsh, rlogin, rcp, and rdist, all of which send their traffic in cleartext. You shouldn't be using these anyway, as they have long been supplanted by ssh and scp.

Would you like to password protect single-user mode?
Yes. If there is no password, then anyone can gain root privileges by rebooting to single-user mode.

Should Bastille ensure the telnet service does not run on this system?
Not only Yes, but Heck Yes, unless you are absolutely positively 100 percent certain you wish to leave it running. Telnet is completely insecure. This is not the same as disabling the telnet client, which is still useful for network troubleshooting.

Disabling the gcc compiler isn't much of a security measure. If you need it, don't disable it. If you don't need it, remove it.

Would you like to put limits on system resource usage?
It's pretty safe to answer Yes. Core dumps aren't all that helpful to end users and can grow very large. Setting a limit on user processes is usually a good idea. Use this command to count user processes, so you'll know if Bastille's limit of 150 is enough:

$ ps --no-headers -U [username] | wc -l

You can change these in /etc/security/limits.conf.
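To judge whether the 150-process limit fits a given user, it helps to read the limit actually configured and set it beside the current count. The following script is an added example, not Bastille code: nproc_limit_for parses a limits.conf-style file (user lines override the "*" wildcard, a type of "-" means both soft and hard), count_user_processes is the same ps invocation as above, and check_nproc_headroom reports the two together. Group domains (@name) are not resolved, which is a simplification of the real pam_limits lookup.

```shell
#!/bin/sh
# Added example (not Bastille code): read the nproc limit that
# /etc/security/limits.conf sets for a user and compare it with the
# number of processes the user is running right now.

# Print the nproc limit of kind $3 (soft|hard, default hard) for user $1
# from limits file $2. A line naming the user wins over a "*" wildcard;
# a type of "-" sets both soft and hard. Group domains (@name) are not
# resolved here, a simplification of the real pam_limits lookup.
nproc_limit_for() {
    awk -v u="$1" -v t="${3:-hard}" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 == "nproc" && ($2 == t || $2 == "-") {
            if ($1 == u) exact = $4
            else if ($1 == "*") wild = $4
        }
        END {
            if (exact != "") print exact
            else if (wild != "") print wild
        }
    ' "$2"
}

# Count processes owned by user $1 (same ps invocation as in the article).
count_user_processes() {
    ps --no-headers -U "$1" | wc -l | tr -d ' '
}

# Integer percentage of limit $2 consumed by count $1.
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# Report how close user $1 is to the hard nproc limit in file $2
# (default /etc/security/limits.conf).
check_nproc_headroom() {
    file=${2:-/etc/security/limits.conf}
    limit=$(nproc_limit_for "$1" "$file" hard)
    if [ -z "$limit" ] || [ "$limit" = "unlimited" ]; then
        echo "$1: no hard nproc limit in $file"
        return 0
    fi
    used=$(count_user_processes "$1")
    echo "$1: $used of $limit processes ($(usage_percent "$used" "$limit")%)"
}
```

A user that routinely sits above roughly 80 percent of the limit will hit it during a spike; raise that user's own entry in limits.conf rather than loosening the wildcard line for everyone.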

Would you like to add additional logging?
Yes, you would.

The firewall script is pretty good, but it doesn't give you enough information on what to do with which ports. Take a look at this list of dangerous TCP/IP ports. It will help you decide what to monitor or block. You'll need to figure out for yourself whether you need to open holes in your firewall for services such as SSH, DNS, or Web servers. Bastille accepts either port numbers or service names, according to /etc/services. This page lists ICMP types, if you want to monitor these or just know what they are. You cannot block all ICMP messages without messing up basic networking functions; Bastille's defaults are fine.
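Because Bastille takes service names as well as numbers and looks them up in /etc/services, it is worth resolving the list you plan to allow before typing it into the firewall questions, so that a misspelled name does not silently leave a port closed or a typo open the wrong one. The script below is an added example, not Bastille's own code: resolve_port maps a name or number to a port for a given protocol, and validate_port_list checks a whole list and reports every entry that cannot be resolved. Only the canonical name in the first column of the services file is matched; aliases are not consulted.

```shell
#!/bin/sh
# Added example (not Bastille code): validate a list of services/ports
# before entering them in Bastille's firewall questions, resolving names
# through /etc/services as Bastille does.

# Resolve $1 (a service name or port number) for protocol $2 (tcp|udp)
# using services file $3 (default /etc/services). Prints the port number;
# returns 1 and prints nothing if it cannot be resolved.
resolve_port() {
    name=$1; proto=${2:-tcp}; file=${3:-/etc/services}
    case $name in
        ''|*[!0-9]*) ;;   # not purely numeric: look it up below
        *)
            if [ "$name" -ge 1 ] && [ "$name" -le 65535 ]; then
                echo "$name"; return 0
            fi
            return 1 ;;
    esac
    # services lines look like "ssh 22/tcp # comment"; only the canonical
    # name in column 1 is matched, aliases are ignored.
    port=$(awk -v n="$name" -v p="$proto" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { split($2, pp, "/") }
        $1 == n && pp[2] == p { print pp[1]; exit }
    ' "$file")
    [ -n "$port" ] && echo "$port"
}

# Validate a whitespace-separated list $1 of names/numbers for protocol $2
# against services file $3. Prints "name -> port" for each entry; returns 1
# if any entry failed to resolve.
validate_port_list() {
    status=0
    for entry in $1; do
        if port=$(resolve_port "$entry" "$2" "$3"); then
            echo "$entry -> $port"
        else
            echo "$entry: unknown $2 service" >&2
            status=1
        fi
    done
    return $status
}

# Example invocation; "ssh domain http" is a constructed sample list.
# validate_port_list "ssh domain http" tcp
```

Run it once for TCP and once for UDP, since the same name can map to different entries (domain resolves for both, ssh only for tcp), and only enter the list in Bastille when every entry resolves.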

When you reach the end, you can either activate the changes, or go back and make changes. Bastille tells you how to start, stop, and test your firewall script. Look in /etc/Bastille to see your new scripts, and /var/log/Bastille for a record of everything it did.

Do this a few times on different servers and desktop PCs, and you'll have a good education in the basics of hardening Linux systems.